architecting security & governance across your aws environment mark… · aws iam & sc...

Post on 21-May-2020


© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Summit

Architecting security & governance across your AWS environment, protected by an integrated AWS Identity and Access Management

Marcus Fritsche, AWS Global Solutions Architect, mafritsc@amazon.de


AWS Account

An AWS account is the boundary for:
• Security, access & resources
• API limits / throttling
• Billing separation


Account models

A spectrum from one account to 1,000s of accounts. Your accounts sit somewhere in between; the rest of the deck is about choosing where.


Why one account isn't enough

• Billing
• Many teams; different access
• Security / compliance controls
• Business process isolation (apps, SaaS)


Goals for a multi-account environment

• Guardrails, NOT blockers
• Auditable
• Flexible
• Automated
• Scalable
• Self-service


Account access & security considerations

Baseline requirements (one verb per icon on the slide):
• Lock
• Enable !!!
• Federate
• Define and map
• Establish
• Identify


What AWS accounts do we need for our secure, compliant multi-account environment?

• Organizations account
• Security
• Log Archive
• Shared Services
• Network
• Billing-Admin
• Sandbox
• Dev
• Pre-Prod / QA
• Prod
• Other


AWS Organizations Master

[Diagram: the Organizations master account sits apart from the network path; it has no connection to the data center]

• Service control policies
• Consolidated billing, volume discount
• Minimal resources: no workloads in this account
• Limited access (e.g. restrict who may assume the AWS-Orgs role)

The master account (today called the management account) is not restricted by SCPs, which is exactly why it is kept empty and access to it is tightly controlled and monitored.


Core accounts - OU

[Diagram: the Core Accounts OU holds the AWS Organizations master account; network path to the data center]

• Foundational building blocks
• Once per organization
• Have their own development life cycle (dev/qa/prod)


Log archive account

[Diagram: Log Archive added to the Core Accounts OU]

• Amazon S3 bucket (versioned, restricted, MFA delete)
• CloudTrail logs
• Security logs
• Single source of truth
• Limited access & alarm on user login


Security account

[Diagram: Security added to the Core Accounts OU]

• Optional data center connectivity
• Security tools and audit
• GuardDuty master, Firewall Manager
• Cross-account read/write
• Automated tooling
• Limited access


Shared services account

[Diagram: Shared Services added to the Core Accounts OU]

• Connected to the data center
• DNS
• LDAP / Active Directory
• Shared services VPC
• Deployment tools
• Golden AMIs
• Pipeline
• Scanning infrastructure: inactive instances, improper tags, snapshot lifecycle
• Monitoring
• Limited access (IT-Ops)


Network account

[Diagram: Network added to the Core Accounts OU; it owns the network path to the data center]

• Networking services
• AWS Direct Connect (DX)
• AWS DX Gateway
• Transit Gateway, shared VPC, AWS Client VPN
• Limited access
• Managed by the network team


Developer sandbox (OU & SBX accounts)

[Diagram: a Developer Sandbox OU with developer accounts next to the Core Accounts OU]

• No connection to the data center
• Innovation space
• Fixed spending limit
• Autonomous
• Experimentation


Team/group accounts - OU

[Diagram: a Team/Group Accounts OU next to the Core Accounts and Developer Sandbox OUs]

• Based on the level of isolation needed
• Match your development lifecycle
• Think small


Dev

[Diagram: Dev account inside the Team/Group Accounts OU]

• Develop and iterate quickly
• Collaboration space
• Stage of SDLC: Dev


Pre-production

[Diagram: Pre-Prod account inside the Team/Group Accounts OU]

• Connected to the data center
• Production-like
• Staging
• Testing
• Automated deployment


Production

[Diagram: Prod account inside the Team/Group Accounts OU]

• Connected to the data center
• Production applications
• Promoted from Pre-Prod
• Limited access (read-only only?)
• Automated deployments


Team Shared Services

[Diagram: Team Shared Services account inside the Team/Group Accounts OU]

• Grows organically
• Shared within the team
• Product-specific common services
• Data lake
• Common tooling
• Common services


Multi-account approach

[Diagram: the complete organization: Core Accounts OU (AWS Organizations master, Security, Log Archive, Shared Services, Network), Developer Sandbox OU, Team/Group Accounts OU (Dev, Pre-Prod, Prod, Team Shared Services); network path to the data center]

• Orgs: account management
• Log Archive: security logs
• Security: security tools, AWS Config rules
• Shared Services: directory, limit monitoring
• Network: Direct Connect
• Dev Sandbox: experiments, learning
• Dev: development
• Pre-Prod: staging
• Prod: production
• Team Shared Services: team services, data lake, common Cognito, …


AWS Landing Zone structure - Basic

AWS Organizations account with three core accounts: Shared Services, Log Archive, Security.

Organizations Account
• Account provisioning
• Account access (SSO)

Shared Services Account
• Active Directory
• Log analytics

Log Archive
• Security logs

Security Account
• Audit / break-glass


The AWS Landing Zone solution

An easy-to-deploy solution that automates the setup of new AWS multi-account environments:
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and account vending machine
• Automated deployment


Account vending machine

Account Vending Machine (via AWS Service Catalog)
• Account creation factory
• User interface to create new accounts
• Account baseline versioning
• Launch constraints

What the vending machine does for a new account:
• Creates/updates the AWS account (AWS Organizations)
• Applies the account baseline stack sets (wiring the new account to Security, Log Archive and Shared Services)
• Creates the network baseline
• Applies the account security control policy


AWS Organizations (enable "all features" mode)

[Diagram: left, a single AWS account; right, the same workloads split across the organization: Core Accounts (AWS Organizations master, Security, Log Archive, Shared Services, Network), Developer Sandbox accounts and Team/Group Accounts (Dev, Pre-Prod, Prod, Team Shared Services)]

The organization must run in "all features" mode (not consolidated-billing-only) before service control policies can be attached to OUs and accounts.


AWS IAM & AWS Organizations

[Diagram: single AWS account versus the organization tree]

IAM policies
• Manage access to resources (ARNs)
• Start from DENIED: nothing is allowed until an Allow matches
• Assigned to users, groups and roles

SCPs (service control policies)
• Manage which APIs may be called in an account
• Start from ALLOWED: the default FullAWSAccess SCP permits everything until you replace or narrow it
• Assigned to OUs and AWS accounts, inherited down the tree
• Not applied to: the master account (including its root user), service-linked roles, and a few root-user-only tasks (AWS Support plan sign-up, CloudFront trusted-signer setup, Alexa Top Sites / Web Information Service, ...). Root users of member accounts ARE subject to SCPs.


AWS IAM & SC Policies

[Diagram: single AWS account versus the organization tree]

Writing an IAM policy statement:
• Choose a service
• Define actions for the service
• Apply resources to the actions
• Specify conditions for the actions
• Effect: Deny or Allow

Writing an SCP statement:
• Choose a service
• Define actions for the service
• Apply Resource = "*"

An Allow statement in an SCP can only list actions with Resource "*": SCPs whitelist APIs, not ARNs. Scoping by resource ARN or by condition keys (for example aws:RequestedRegion or aws:PrincipalARN) is available in SCP Deny statements, which is how guardrails are usually written.
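The two statement shapes above, as an added example that is not part of the deck and not an AWS tool: two deny-style guardrail SCPs (protect the logging and detection services, pin activity to home regions) built as Python dicts, plus a structural check that refuses anything an SCP cannot express. The region list, the exempt role names and the Sids are made-up placeholders.

```python
"""Guardrail SCPs as code, plus a structural check before they are attached.
Added example; not from the deck and not an AWS tool.  Region list, exempt
role names and Sids are made-up placeholders to replace with your own."""
import json

SCP_MAX_BYTES = 5120  # AWS Organizations quota for one SCP document

# Assumption: these roles may act outside the guardrails (break-glass / central tooling)
EXEMPT_PRINCIPALS = [
    "arn:aws:iam::*:role/OrganizationAccountAccessRole",
    "arn:aws:iam::*:role/SecurityAutomation",   # hypothetical security-account role
]
HOME_REGIONS = ["eu-central-1", "eu-west-1"]     # hypothetical home regions


def protect_security_services_scp(exempt=EXEMPT_PRINCIPALS):
    """Deny: nobody in a member account may switch off CloudTrail, AWS Config
    or GuardDuty, or pull the account out of the organization."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectSecurityServices",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
            "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
            "config:DeleteDeliveryChannel",
            "guardduty:DeleteDetector", "guardduty:UpdateDetector",
            "guardduty:DisassociateFromMasterAccount",
            "organizations:LeaveOrganization",
        ],
        "Resource": "*",
        # ArnNotLike on aws:PrincipalARN: the deny hits everyone except the exempt roles
        "Condition": {"ArnNotLike": {"aws:PrincipalARN": list(exempt)}},
    }]}


def restrict_regions_scp(allowed=HOME_REGIONS, exempt=EXEMPT_PRINCIPALS):
    """Deny every request whose aws:RequestedRegion is outside the allowed
    list, except for global services that always answer from us-east-1."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideHomeRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                      "cloudfront:*", "route53:*", "budgets:*", "health:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": list(allowed)},
            "ArnNotLike": {"aws:PrincipalARN": list(exempt)},
        },
    }]}


def check_scp(policy):
    """Return a list of problems (empty = passes).  Encodes the SCP syntax
    rules from the slide: Allow statements may only name actions with
    Resource "*" (no ARN scoping, no Condition, no NotAction/NotResource);
    SCPs have no Principal; the minified document must fit the size quota."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
        if stmt.get("Effect") == "Allow":
            if stmt.get("Resource") != "*":
                problems.append(f"{sid}: Allow statements must use Resource '*'")
            for banned in ("Condition", "NotAction", "NotResource"):
                if banned in stmt:
                    problems.append(f"{sid}: {banned} is not allowed in an Allow statement")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{sid}: SCPs do not have a Principal element")
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    if size > SCP_MAX_BYTES:
        problems.append(f"document is {size} bytes, quota is {SCP_MAX_BYTES}")
    return problems


def guardrails():
    """All guardrail SCPs keyed by name, each checked before it is returned."""
    out = {"ProtectSecurityServices": protect_security_services_scp(),
           "DenyOutsideHomeRegions": restrict_regions_scp()}
    for name, policy in out.items():
        problems = check_scp(policy)
        if problems:
            raise ValueError(f"{name}: {problems}")
    return out
```

Both guardrails are Deny statements, so they can carry conditions and still leave the default FullAWSAccess Allow in place; attach them to an OU, never to the root alone without testing, and keep the exemption list short, because every exempt principal is a hole in the guardrail.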


AWS IAM Policies

• JSON-formatted set of instructions which define permissions
• Contain one or more statements (permissions) that specify:
  • which actions a principal can perform (what)
  • which resources can be accessed (where)
  • under which conditions (if)

    {
      "Statement": [{
        "Effect": "effect",
        "Principal": "principal",
        "Action": "action",
        "Resource": "arn",
        "Condition": {
          "condition": {
            "key": "value"
          }
        }
      }]
    }

Effect is Allow or Deny. Principal (who) appears only in resource-based policies such as S3 bucket policies and role trust policies; an identity-based policy attached to a user, group or role has no Principal element, because the identity it is attached to is the principal.


AWS IAM Policy: Resource & Conditions

• Resources & services are identified uniquely by an Amazon Resource Name (ARN):

    arn:aws:service:region:account:resource…

  "aws" is the partition; the region field is empty for global services such as IAM, and S3 bucket ARNs carry neither region nor account.


IAM-Policies & SCPs

[Diagram: IAM policies (attached to groups, users, roles) ∩ Organizations SCPs (attached to accounts, OUs) = effective right of the user on the service]

The effective permission is the intersection: an action must be allowed by the SCPs in force for the account and by the principal's IAM policies.


SCPs & IAM-Policies to protect

[Diagram: Organizations SCP ∩ identity-based policy = effective permission]

Worked example from the slide:

    SCP (OU / account)        IAM permissions (user / role)
    Allow: s3:*               Allow: sqs:*
    Allow: ec2:*              Allow: ec2:*

    Effective permission: ec2:* only

s3:* is allowed by the SCP but never granted by IAM; sqs:* is granted by IAM but the SCP does not allow it. Only ec2:* is present in both.


Permissions Boundaries for IAM Entities (User or Role)

A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. The entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundary.


Organizations SCPs

[Diagram: three overlapping circles, Organizations SCP, permissions boundary and identity-based policy; the effective permission is the region inside all three]

With a permissions boundary in place the intersection has three parts: SCP ∩ permissions boundary ∩ identity-based policy. Each layer can only remove permissions; none of them grants anything on its own.


Resource-based Policies

[Diagram: resource-based policy, permissions boundary and identity-based policy; effective permission]

Resource-based policies (S3 bucket policies, KMS key policies, SQS queue policies, role trust policies) behave differently from the layers above. Within the same account an Allow in the resource-based policy is sufficient on its own; the identity-based policy does not also have to allow the action. Across accounts both the resource-based policy in the owning account and the caller's identity-based policy must allow it. An explicit Deny in either still wins.


Session Policies

[Diagram: session policy, permissions boundary and identity-based policy; effective permission]

A session policy is passed as a parameter when a role is assumed (AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity) or a federation token is created. It caps that one session to the intersection of the role's identity-based policies, its permissions boundary, the SCPs and the session policy itself; it can never add permissions the role does not already have.


IAM Policies - Evaluation Logic

Order in which AWS evaluates a request:
• An explicit Deny in any applicable policy (SCP, resource-based, identity-based, permissions boundary, session) ends the evaluation with Deny.
• Organizations SCPs: every level from the root through the OUs to the account must contain an Allow, otherwise Deny.
• Resource-based policy: if one applies and allows the request from a principal in the same account, the request is allowed.
• Identity-based policies must contain an Allow, otherwise the result is an implicit Deny.
• Permissions boundary (if present) must allow the action.
• Session policy (if present) must allow the action.

The default is an implicit Deny; only an Allow that survives every layer results in Allow.
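The decision order above, together with the SCP ∩ IAM example and the permissions-boundary and session-policy slides, implemented as a small offline evaluator. This is an added example, not AWS code and not the real IAM engine: it handles Action/NotAction, Resource/NotResource with "*" wildcards and four condition operators, assumes the Principal in a resource-based policy already matched the caller, and the region in the sample guardrail SCP is a made-up placeholder.

```python
"""Toy IAM policy evaluator following the documented decision order, so SCP /
boundary / session intersections can be reasoned about offline.  Added
example, not AWS code; real IAM has many more operators and corner cases."""
from fnmatch import fnmatchcase


def _list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _match(patterns, value):
    # action names are case-insensitive; '*' and '?' are the only wildcards IAM knows
    return any(fnmatchcase(value.lower(), p.lower()) for p in _list(patterns))


def _condition_ok(cond, ctx):
    """True when every condition block matches the request context keys."""
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have, want = ctx.get(key), _list(want)
            if op == "StringEquals":
                ok = have in want
            elif op == "StringNotEquals":
                ok = have not in want
            elif op in ("StringLike", "ArnLike"):
                ok = have is not None and _match(want, have)
            elif op in ("StringNotLike", "ArnNotLike"):
                ok = have is None or not _match(want, have)  # negated ops pass if key absent
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True


def _applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match(stmt["NotAction"], action):
        return False
    if "Resource" in stmt and not _match(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _match(stmt["NotResource"], resource):
        return False
    return _condition_ok(stmt.get("Condition"), ctx)


def decision(policy, action, resource, ctx):
    """'Deny' (explicit), 'Allow', or None when no statement matches."""
    result = None
    for stmt in policy.get("Statement", []):
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate(action, resource, ctx=None, *, scp_levels=(), identity=(), boundary=None,
             session=None, resource_policy=None, same_account=True):
    """Return (verdict, reason).  scp_levels lists the SCPs per level, root -> OU -> account.
    Principal matching in the resource-based policy is assumed to have succeeded."""
    ctx = ctx or {}

    def d(p):
        return decision(p, action, resource, ctx)

    applicable = [p for level in scp_levels for p in level] + list(identity)
    applicable += [p for p in (boundary, session, resource_policy) if p]
    if any(d(p) == "Deny" for p in applicable):                 # 1. explicit deny wins
        return "Deny", "explicit deny"
    for depth, level in enumerate(scp_levels):                  # 2. every SCP level must allow
        if not any(d(p) == "Allow" for p in level):
            return "Deny", f"no SCP allow at level {depth}"
    rp = d(resource_policy) if resource_policy else None        # 3. resource-based policy
    if same_account and rp == "Allow":
        return "Allow", "resource-based policy"
    if not same_account and rp != "Allow":
        return "Deny", "cross-account: resource-based policy does not allow"
    if not any(d(p) == "Allow" for p in identity):              # 4. identity-based policies
        return "Deny", "implicit deny: no identity-based allow"
    if boundary and d(boundary) != "Allow":                     # 5. permissions boundary
        return "Deny", "outside permissions boundary"
    if session and d(session) != "Allow":                       # 6. session policy
        return "Deny", "outside session policy"
    return "Allow", "identity-based policy"


# Constructed policies: the slide's intersection example plus two extra layers
SCP_S3_EC2 = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
IAM_SQS_EC2 = {"Statement": [{"Effect": "Allow", "Action": ["sqs:*", "ec2:*"], "Resource": "*"}]}
SCP_HOME_REGION = {"Statement": [{  # hypothetical home region; global services exempted
    "Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1"]}}}]}
BOUNDARY_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def slide_example():
    """Effective rights for SCP {s3:*, ec2:*} ∩ IAM {sqs:*, ec2:*}: only ec2 survives."""
    return {a: evaluate(a, "*", scp_levels=[[SCP_S3_EC2]], identity=[IAM_SQS_EC2])[0]
            for a in ("ec2:RunInstances", "s3:GetObject", "sqs:SendMessage")}
```

slide_example() returns Allow for ec2:RunInstances and Deny for both s3:GetObject (no identity-based allow) and sqs:SendMessage (no SCP allow), matching the slide. Adding SCP_HOME_REGION to the SCP level and a request context of aws:RequestedRegion = us-west-2 turns the ec2 call into an explicit deny, and a boundary of BOUNDARY_S3_ONLY denies it even though IAM allows it; for a real account, confirm such cases with the IAM policy simulator rather than this toy.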


AWS Organizations (Cross account access)

[Diagram: organization map (Core Accounts, Developer Accounts, Team/Group Accounts) used to discuss cross-account access between the core accounts and the team/group accounts]


AWS Organizations (No Cross account access)

[Diagram: the same organization map]

Accounts that must not be reachable via cross-account access from the rest of the organization:
• Log Archive
• Security
• Backups
• PCI


Access Best Practice

• Restrict root and master account access
• Monitor activities performed as root and in the Organizations master account
• Use consolidated user management / SAML federation
• Use the principle of least privilege (role-based access)
• Assign SCPs to OUs and test them in dedicated OUs before rolling them out
• Avoid "whitelisting" and "blacklisting"


Next steps – Action required

• Build YOUR AWS account segmentation strategy
• Set up AWS Landing Zone / Control Tower
• Search for and train your policy ninja
• Iterate on SCPs and IAM policies, automated using scripts!
• Use AWS security audits & Well-Architected Reviews (WARs) to check and challenge!

What did I say you should not forget?

• Enable


… and contact me at mafritsc@amazon.de

Marcus Fritsche


How GuardDuty Works

Data sources: VPC flow logs, DNS logs, CloudTrail events
→ Amazon GuardDuty: threat intel, ML/AI anomaly detection
→ Findings with severity HIGH / MEDIUM / LOW
  Threat detection types: reconnaissance, instance compromise, account compromise
→ SIEM and/or RESPOND


AWS Config

• Continuously tracks resource configuration changes
• Evaluates the configuration against policies defined using AWS Config rules
• Alerts you if the configuration is noncompliant with your policies, using Amazon SNS and Amazon CloudWatch Events

AWS Config = continuous configuration auditor

[Diagram: changing resources → AWS Config (normalized configuration history and snapshots, API access) → AWS Config rules → notifications]
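A custom Config rule that turns the log-archive bucket requirements from earlier in the deck (versioned, restricted, MFA delete) into a compliance check, as an added example that is not part of the original slides. The pure function evaluate_bucket() does the work and is what can be tested offline; lambda_handler() is the wrapper Config invokes. The field names read from the configuration item (supplementaryConfiguration, BucketVersioningConfiguration, PublicAccessBlockConfiguration and their keys) follow what Config records for AWS::S3::Bucket and are an assumption to confirm against an item from your own account; the two sample items are constructed.

```python
"""Custom AWS Config rule (Lambda handler) for the log-archive bucket
requirements: versioning on, MFA delete on, public access blocked.  Added
example, not from the original slides.  Field names follow the AWS::S3::Bucket
configuration item as Config records it; treat them as an assumption."""
import json

try:
    import boto3  # present inside Lambda; optional here so the module imports offline
except ImportError:
    boto3 = None

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(item):
    """Pure evaluation: (compliance type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "not an S3 bucket"
    supp = item.get("supplementaryConfiguration") or {}
    versioning = supp.get("BucketVersioningConfiguration") or {}
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    problems = []
    if versioning.get("status") != "Enabled":
        problems.append("versioning not enabled")
    if not versioning.get("isMfaDeleteEnabled"):
        problems.append("MFA delete not enabled")
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        problems.append("public access block incomplete")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "versioned, MFA delete on, public access blocked"


def lambda_handler(event, context):
    """Entry point Config invokes on each configuration change."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:  # oversized-item or scheduled notification: nothing to evaluate here
        return None
    compliance, annotation = evaluate_bucket(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps the annotation at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


# Constructed sample configuration items (not captured from a real account)
LOG_ARCHIVE_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-org-log-archive",
    "configurationItemCaptureTime": "2019-05-01T10:00:00.000Z",
    "supplementaryConfiguration": {
        "BucketVersioningConfiguration": {"status": "Enabled", "isMfaDeleteEnabled": True},
        "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
    },
}
DEV_SCRATCH_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-dev-scratch",
    "configurationItemCaptureTime": "2019-05-01T10:05:00.000Z",
    "supplementaryConfiguration": {
        "BucketVersioningConfiguration": {"status": "Suspended", "isMfaDeleteEnabled": False},
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True},
    },
}
```

Deploy the handler as a Lambda function, create a Config rule with a configuration-change trigger scoped to AWS::S3::Bucket, and route the resulting NON_COMPLIANT evaluations through SNS / CloudWatch Events to the security account, so the log-archive bucket drifting away from its baseline becomes an alert rather than a surprise during an audit.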


Security and Compliance is a shared responsibility
